Ok, lets argue this some more.

Discussion in 'other anti-malware software' started by trjam, Jan 15, 2008.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Even with application based execution control code is running on your machine:
    a) Code is running in the network layer before it reaches the process layer.
    b) Code is running as parts of data files or incoming data streams
    c) Code could be running before the driver or execution control service/program is started
    d) same applies at system shut down
    e) IT innovation itself makes the border between data and code diffuse.
    - Due to thin client and distributed processing developments the architecture of the OS allows for code to run dynamically
    - Object based programming has left the old data and functionality separation. This means that C++ or C# programs have a different way of addressing code and data than old fashioned C programs.

    Regards Kees

    Example

    http://membres.lycos.fr/nicmtests/

    The fuzz about Preuba.exe

    http://gladiator-antivirus.com/forum/index.php?showtopic=64264

    Recently I read something about ShadowDefender running together with AE could not prevent writing to disk directly
     
    Last edited: Jan 16, 2008
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes that is safe to assume, but there is no soft that will provide this 100% coverage. And even when there would be such a perfect software designer with this 100% knowledge, his soft would have bugs of its own and therefore would not be able to provide 100% security. And even when there would be a perfect software developer who would be able to program 100% reliable soft, then the 100% would only reflect the knowledge of the moment the software designer put the specs on the table. In the time lapse it would take to program the specs (the problem of the rabbit and the turtle) a new exploit or new way of executing code could be engineered, and the perfect software designer and perfect software developer could still not guarantee this 100%.

    Taking all these imperfections into account, it is a near miracle if Solcroft would be able to provide this 100% in his test as proof.
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's why I replace my complete system partition with a new one during each reboot. The software in my system partition is not 100% protected and is full of bugs, but it will always be the SAME uncompromised software.

    There is nothing better than using a clean and unused system partition after each reboot and that's what I do in practice. :)
     
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi Kees1958,
    Please provide a link to this discussion so we can investigate.

    Thanks
    Mike
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  6. ProSecurity

    ProSecurity Registered Member

    Joined:
    Dec 13, 2007
    Posts:
    123
    The main problem with theoretical discussions is that there is no definable limit.
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    These are not executables. (A) belongs to the control domain of a firewall. (B) falls within the jurisdiction of both firewalls and HIPS, and is easily stopped as well.

    Only if some other code instructed that code to do so. And that other code is easily blocked.

    Technical mumbo jumbo. Something more substantial please.

    I can easily block those with the greatest of ease even with the woefully-outdated SSM Free. Would you like to see evidence of that?
     
  8. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Hmm if you already pick your software carefully and run only safe programs, why do you need the likes of SSM to tell you that the executable you just clicked on is trying to run?

    You might as well cut out the middle man and run the software without the prompt!

    Not to say that warning you when an exe starts is not useful (it can be useful against, say, some exploit causing something unexpected to run), but I find it quite useless against threats that result from programs you choose to run yourself...
     
  9. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Bingo.
     
  10. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    But why not just sandbox?

    It seems the scenario with exploits almost always comes through the same few applications, so why not just sandbox those?

    Why suffer through the vast majority of useless prompts generated by you choosing to run something? By doing a system wide whitelist of processes, you need to do at least 3+ clicks (1 to start, 1 to answer the resulting prompt, at least 1 more to set the rule) when in the past you only had to do it once.
     
  11. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Because sandboxing allows execution nonetheless. And once execution is carried out, your guarantee of 100% defense is lost. Prueba aka Bifrose is one of the more prominent examples of this that I can recall - both Sandboxie and DefenseWall were defeated by SSDT unhooking, and the trojan escaped from the sandboxed environment to the host computer. On the other hand, even though SSM Free and ProcessGuard fail to defend themselves from SSDT unhooking, or any of the dozens of techniques with which they can be bypassed, they can block execution - and make everything else moot. 100% defense against executable malware.

    We've had exploits from word processors to media players to image viewers to pdf readers, and now Excel, as the latest and newest example. Same few applications? I think not. Fact: anything more complex than "Hello World!" can potentially be exploited. Possibly even Notepad.

    Learning Mode.

    This is the reason why I eschew classical HIPS as well. But I think the answer to this question is already beyond the scope of this thread. HIPS may not be suitable for everyone, but antivirus software will NEVER be on equal footing with them in terms of protection power, not by a fricking long shot, at least not for the foreseeable future.
     
    Last edited: Jan 17, 2008
  12. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Just to add my experiences relevant to this topic.

    In a year and a half of browsing through hacked sites, known offending sites and generally mass linking through pr0n land I have yet to have an infection install past the execution control of ProcessGuard when the deny rule is applied to any intercepted exe file :thumb:

    Even with attack surfaces maximised via unpatched SP2 + IE6 with lowered security settings + vulnerable versions of QT, Adobe, Realplayer and Java installed. The 'puter is now a malware magnet for driveby action and sure the exploit(s) fire and code imports, but nothing sticks unless :D

    FWIW Often I don't have the window of opportunity to harvest full blown infections, so the *deny* routine comes in handy to save the dropper in order to fire it up later for the full infection harvest :p

    So the PG free execution control <deny> feature has been 100% effective to date in my high risk ITW travels at preventing solicited infections going native :D
     
    Last edited: Jan 17, 2008
  13. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    I believe Comodo's Defense+ and ThreatFire also offer something similar to Process Guard's execution Control right?
     
  14. pojispear

    pojispear Registered Member

    Joined:
    Jan 12, 2006
    Posts:
    90
    The problem I had with HIPS is I don't know what every svchost.exe is for and I have 6 running in processes right now. I have a bunch of devices on USB so that's probably it. I need a HIPS that has some explanation of what the process is.
     
  15. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    In SSM Pro > Process Monitor> Click relevant wheel under 'Service Column'> Tool Tip showing what is running under one of my 6 svchost.exe that is running - see screenshot. I am no expert when it comes to HIPS, but I made sure that I installed SSM in a clean operating environment, and ran in Learning Mode for 2-3 days, whilst not installing any new software. Now I hardly get any popups, and when I do, I am not surprised most times.

    I like to get popups as it helps to learn about my system and how software interacts.
     
  16. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    I've had the full version of PG (3.410) since it first came out and couldn't agree more with your sentiments and I have always had a lot of confidence in it. However, times move on and although I still use my six year old XP Home desktop I now have a new laptop with Vista Home Premium on it. PG obviously won't cut the mustard any more (with Vista). Having perused and searched these forums for an alternative I am at a loss to make a decision. I do use Returnil on the laptop but would like something along the lines of PG as well. May I ask your opinion? .. although all opinions would be welcome.
     
    Last edited: Jan 18, 2008
  17. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Well then, may I opine in saying that users of apps espoused in this Wilders forum are far and above wiser than those that frequent the AV sections.:cool: :D

    We are all different and if I ever get stuffed using my favourites, being Sandboxie and Returnil, I'll never let ya'll know anyways!:D
     
  18. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I agree with solcroft on this one. I think that typically HIPS will easily catch 100% of what all antivirus miss... Only that you may not "recognize" the fact and allow something in... Still this makes it more powerful than any AV in my opinion.
     
  19. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    If they kept the explanations in the pop ups simple enough that the average user could understand then they would be the cat's meow. However, the average user doesn't speak tech talk so just would click "Allow" just to get rid of the pop up. I can remember when Zone Alarm first came out the deluge of "What does this mean" posts in various security forums. I think in later versions (I haven't used it in years) they lessened the tech speak and that helped a lot.
     
  20. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    My take on this is that the database they use to document either the behavior or the known hostile should be the priority, with a huge emphasis on clear communication. This is still where the big focus needs to be for developers. There is a tech talk and an average Joe version required in all cases. Even more important considering the nature of HIPS... It is an imperative, as users need to be able to get it or it renders the product ineffective.
     
    Last edited: Jan 18, 2008
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I completely concur.

    And with the results to prove it, been over a year now I think, no AV.

    HIPS are indeed very well mapped out and formidable, they sense system/file activity signalling whereas AV's seem to have to run thru each file separately including identifying packers etc. A huge drawback in comparison IMO when it comes to taxing your system's performance. Takes a healthy lot of CPU cycles/resources/memory to power an AV in comparison to HIPS. Plus they seem to hit snags all the time, meaning unexpected conflicts.
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    TF = NO by design, because it is a behaviour blocker

    D+ = YES, called image execution control
     
  23. ProSecurity

    ProSecurity Registered Member

    Joined:
    Dec 13, 2007
    Posts:
    123
    Hope is not lost! :D
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    The code execution discussion is somewhat clouded by the fact that running code is defined as running an executable only.

    XML, HTML, J2EE, (D)COM, ActiveX, scripts and dynamic code in for instance media files all are examples of dynamic (or interpreted) code or mixing data with code. So it is possible to fool the anti executable part of your HIPS.

    This obscured code could also use weaknesses in for instance your graphics card driver to get access to your OS at kernel level, without your HIPS having a defense in place.

    That is why I said in a post, look at the release notes of your favourite HIPS over the last two years and you will get the picture. Have a look at the exploit patches of XP and you will find some correlation.

    So in my opinion it makes sense to use some sort of AV, simply because it takes out a fair part of the known threats. At the home PC I have installed AVAST. But only the Network, Web, P2P and Internet Mail shields. This means (in line) code is checked only ONCE (before reaching the PC, f.i. embedded code in web pages).

    So I am using a mixed approach of HIPS/AV. Yes I use an AV, but only for incoming data streams (with as early as possible intervention). Most AV's also check at reads, writes and execution. This steals a lot of CPU cycles, which I rather give to a HIPS. Even wiser would be running as a limited user, which in itself is an elegant and efficient way of reducing the attack surface.

    Regards Kees
     
    Last edited: Jan 19, 2008
  25. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Actually ThreatFire includes some form of execution control by design. Attempting to launch a program via IE iframe/javascript exploits, and silently via cmd.exe batch files (I'm not too sure about the specifics of this, need more testing + samples) causes a popup. ThreatFire tries to limit execution control only to the scope where it is useful, unlike classical HIPS that whack everything that tries to start up.
     